April, 9, 2013 – New Strategies to Secure U.S. Economy from Cyber Depredation

PRINCIPAL INSIGHTS

Cyberattacks on government, public and private industries in the U.S. have caused enormous financial loses and untold damage to our national security. Untold, because often hacking victims in both private and government sectors either are unaware, are reluctant to report (or underreport), thus making it the perfect tool for economic warfare. Indeed, the Defense Science Board public report noted that China has “compromised the United States’ most advanced weapons systems.” While the report understandably didn’t list the weapons, it failed to mention the companies whose systems were hacked. The report warned that the U.S. military is unprepared to win a cyber-conflict. Wrong policies, lack of foresight, budgetary constrains and bureaucracy that shackle the Pentagon, do not apply to the private sector that is able and eager to counter cyber attacks. Their hands are tied because the U.S. law forbids such actions.

* Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, our keynote speaker, noted that the Internet accounts for one-sixth of the U.S. economy today and that 80 percent of U.S. cyber networks are in private-sector hands.

* Rogers believed (at that time) that there was a good chance that his proposed Cyber Intelligence and Protection Act (CIPSA) would be passed by Congress and signed by the president despite the failures of 2012. The event was on the eve of the House mark-up and passage of its version of the bill, which turned out to be dead-on-arrival in the Senate and was also objected to by the White House. Accordingly, the United States has yet to take the first step in cyberdefense: government and private sector information sharing on cyberattacks.

* Cybersecurity – On the question of who’s responsible for protecting from and remedying the effects of cyberattacks on the economy, Mark Weatherford of DHS referred to our status as that of “Constant Remediation.” When the private sector is attacked, it’s each and everybody’s responsibility to take the necessary measures to prevent further attacks. When the government is being attacked, it is supposed to take care of the problem. They seldom work together.

* More than one panelist, but most especially former Director of Central Intelligence R. James Woolsey, noted that state sponsors of cyberattacks are of two sorts: rational actors (such as China) and not-so-rational actors (such as North Korea and Iran). The presence of the latter means that U.S. cyberdefense has to be ready to protect us against all cyberattacks.

* R. James Woolsey presented a complete (and horrifying) picture the U.S. electric grid vulnerability to cyberattacks. Identifying 18 critical infrastructures in the country, Woolsey noted that all of the others in country depended on the status of the electrical grid. If a substantial portion of the grid were knocked out by cyberattack, or an electro-magnetic impulse (EMP) attack, remediation could take years. Such a circumstance would return the United States, not to the pre-Internet 1980s, but to the pre-electricity 1880s. By his estimate, the prolonged absence of electricity would likely mean that two-thirds of our population could die.

* Woolsey also pointed out that, apart from state public utility commissions and the Department of Energy, no one is in charge of America’s 3,500 public utilities and no one is responsible to protecting the grid. The Department of Energy only regulates transmission (but not distribution) and the state commissions do essentially nothing to protect the grid. America’s public utilities in toto commit less research and development per year than the U.S. dog food industry. Unlike the U.S., Russia, China, Israel and Britain, for example, are “hardening” their grids against attack. The U.S. does not because, in Woolsey’s opinion, “No one is in charge.”

* Christina Ray, cited PLA officers Colonel Qiao Liang and Colonel Wang Xiangsui, from their book Unrestricted Warfare:

“So, which [of many unconventional means], which seem totally unrelated to war, will ultimately become the favored minions of this new type of war-‘the non-military war operation’ which is being waged with greater and greater frequency throughout the world? … Financial War is a form of non-military warfare which is just as terribly destructive as a bloody war, but in which no blood is actually shed. Financial warfare has now officially come to war’s center stage.”

This quote goes a long way to answering those critics who regard “cyberwarfare” and “economic warfare” as exaggerations.

* Former attorney general Michael Mukasey noted that we “have laws against crimes, and at least a comprehensible if not a comprehensive way of applying them. We really don’t have either in the cyber sector;” and, in his estimation, we’ve made no progress over the past decade. Mukasey also noted that, in May 2011, the White House issued a document entitled “International Strategy for Cyberspace,” subtitled “Prosperity, Security and Openness in a Networked World.” He remarked, “I think perhaps a further subtitle for that document, after prosperity, security and openness, might be ‘pick two out of three, so long as the two aren’t security and openness.'” And then there’s the way the document ends, with the pledge that when we do act, it will be in a way “that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.”

* The U.S. government is interested in the dot-mil and dot-gov segments of the Internet. Mukasey cites Cyber Command head General Alexander, as saying “that when he saw a threat to the dot-com portion he thought he had little authority to do more than say – to himself and others in the room – ouch, this is going to be a bad one.”

* In the U.S., the situation regarding cyberdefense is not unlike that besetting our war on terror. Just as we can’t decide where and how to try terrorists, we cannot decide on where responsibility lies, with the government or the private sector:

Witness the Senate and White House rejections of CIPSA.

* Former assistant secretary for policy at DHS Stewart Baker pointed out that there’s been a revolution in cyber attribution, that is, in our ability to find out exactly who’s hacking. It is “not possible to operate in cyberspace these days without leaving little digital bits of your DNA all over cyberspace. It’s just like Pigpen. We’ve got this cloud of data falling off us whenever we move around in cyberspace.” Meaning, hackers are traceable.

* Baker encouraged taking the attribution opportunity: “I’ve been trying to popularize Baker’s Law, which sums up the attribution opportunity this way: ‘Our security sucks, but so does theirs.’ That’s what we need to remember. The hackers are no better at securing their communications and their data than we are, and we know we’re bad at it, right?”

* Baker again: The attribution revolution “creates an enormous set of options for policy makers. Many people know what attribution 101 is. You’ve got all the people who’ve been compromised up on that top line. Then the command and control server which tells them all what to do and receives all their reports about the information. Then headquarters takes that information from the command and control and ultimately passes on to some final customer who actually is going to use the information that has been stolen.

“If we can break down that set of information, we can start penetrating each of those steps along the espionage trail. We can go from attribution to, not deterrence, but retribution.” Baker’s basic position was that deterrence is impossible without retribution first.

* One way to look at where we are now, as Baker noted, is according to the following analogy: “You know how much help you’re going to get from the police if somebody steals your bike: They will tell you how sorry they feel about it, and they will tell you what kind of lock you should buy next time for the next bike you own. That is the treatment we’re getting now from the FBI and the CIA when they don’t have the ability and don’t have the resources to do the help.” According to Baker, the ability and resources exist in the private sector.

* It is instructive to call our current response to cyberattacks “passive defense.” As CrowdStrike’s Steven Chabinsky notes, the entire emphasis is on the vulnerability of the victims and not the actions of the perpetrators:

“It’s absolutely incredible how much cost today is borne by individuals and the private sector in trying to defend their security with little to no return on investment. It’s incredible the amount of time, effort, opportunity cost that’s going into a failed strategy, and how our response to that continues to be information sharing efforts to do more of it. We keep blaming the victim.” Chabinsky likens this to the police sending a locksmith if someone breaks into your front door.

* The current passive approach to cyberdefense actually makes the problem worse. According to Chabinsky, “That’s what we’re doing here, because every time we have our businesses spend more money on security against targeted attacks and raise the bar to this level, guess where the well-resourced, very capable organized crime groups and nation-states bring the threat? To a higher level.” It’s like building a 20-foot wall around a house when thieves can easily buy 30-foot ladders at a hardware store.

* Retaliation and retribution in cyberspace-in other words, cyberoffense as the only conceivable approach to cyberdefense-was generally approved by conference panelists, but none more than George Mason University Law Professor Jeremy Rabkin. He noted that the 2012 Defense Authorization Act, said, “Congress affirms that the Department of Defense has the capability and upon direction by the President, may conduct offensive operations in cyberspace to defend our nation, allies and interests.” And then the Senate said, “Wait. No, we can’t just say that. We’ve got to add, ‘Subject to the legal regimes the Defense Department follows for kinetic capabilities, including the law of armed conflict.’ This meant that consideration of cyber retaliation and retribution should be reconciled with the law of armed conflict and, therefore, effectively neutralized the approval of cyberoffense.”

* Considerable attention is being given when dealing with conflict in cyberspace, to such things as the Geneva Conventions and what the Red Cross has said about the laws of war. According to Rabkin, “Pretty much the Red Cross view of the law of armed conflict is this: it’s how Switzerland would have fought the Second World War–if it had actually been fighting.” Post-Vietnam, Additional Protocol I of the Geneva Convention became something of an international norm. That protocol has it that in armed conflict only military objectives must be involved; nothing must harm civilians or “civilian objects.” This, Rabkin called “utopian” and wholly at odds with how the First and Second World Wars were fought by the Allies. In those instances, we instituted blockades that sought to punish our enemies economically. These certainly harmed civilians and “civilian objects.”

* Non-military retaliation for aggression is hardly new. It dates from the Middle Ages at least and is enshrined in the Article 1, section 8 of the U.S. Constitution, which deals with war at sea. There, the Constitution authorizes the granting of letters of marque and reprisal.According to Rabkin, we don’t need to be at war. Our government can grant letters of marque and reprisal separate from a declaration of war. In the early American Republic, when it was impossible to fight the enemy’s army or navy, such a letter allowed private ship owners to attack the commercial navy of the enemy. Were letters of marquee and reprisal used to take the offensive in cyberspace, they, like those concerning the sea, their message would be clear: “You’re aggressing, we’re retaliating. Maybe something less than kinetic battle would convince you to end the aggression.”

* According to Rabkin, “there’s no good reason why we shouldn’t use cyber attack to damage a lot of property, especially in retaliation for enemies who have already done that to us. It is insane to allow the Swiss to tell us how we fight our wars, and it’s doubly insane to have the Swiss tell us how to fight cyber conflict, which mostly won’t rise to the level of war and is something Switzerland knows even less about than actual armed conflict.”

Further, he says “Is cyber more like naval war–where we disrupt the enemy’s trade and communication, without exempting commerce just because it’s owned by civilians? Or is cyber conflict more like a land war, where we send tanks into enemy territory and then say to enemy civilians, ‘Stay out of our way and we’ll stay out of yours’? I say it’s more like naval war, so what is permissible in naval war should be applicable to cyber conflict.”

* While Rabkin was the only panelist advocating a modern, “cyber” version of letters of marquee and reprisal, all generally agreed that the U.S. government should at least authorize private sector counter-hacking which would otherwise be illegal. Moreover, the general conclusion was that the private sector has the will, fiscal means and technical ability that the government may never have.

Concluding this briefing are notes by former assistant Secretary of Defense and ACD/EWI Board Member, Richard Perle, (who was unable to attend):

* “Would it make sense for us to approach the Chinese with the following proposition: We know what you are doing and we insist that it stop. If it doesn’t, you should understand that we can do to you what you are doing to us. We don’t think there is much to be gained by stealing your intellectual property (it’s mostly ours to begin with) but how would you feel about the publication of your intergovernmental communications made available to your own citizens? In any society governed as the Chinese govern theirs, the threat of disclosure could be a very powerful deterrent.”

* “I suspect that at some point we will begin to hear proposals for a treaty or treaties, or an international convention aimed at creating norms with respect to cross-border intrusions of all sorts. I hope we will resist the temptation to hope that such an approach offers any substantial protection. What it is more likely to do is compromise sensitive information that we are sometimes able to keep secure, and invite the foxes into the chicken coop. The worst prospect of all would be a cyber version of the Non-Proliferation Treaty–a universal convention based on the premise that any country willing to sign up should have full access to advanced computer science from anywhere in the world. We’ve been down that path before.”

Click here for the full report

Additional Videos:

CyberThreat & the Economy, ACD/EWI – Part 1 CLICK TO PLAY – Introduction – Dr. Rachel Ehrenfeld, Director Dean Daniel Polsby, GMU School of Law; Michael B. Mukasey, Former Attorney General; Rep. Mike Rogers, House Permanent Select Committee on Intelligence; Keynote Address